Add self-hosted DNS resolver (Unbound)

This commit is contained in:
randomshell 2018-09-16 00:53:33 +02:00 committed by Stanislas
parent 30edb7b769
commit f057e0aa5f
2 changed files with 175 additions and 19 deletions

View File

@ -98,6 +98,7 @@ The script will ask you which DNS resolvers you want to use when connected to th
Here are the possibilities :
- Current system resolvers, those that are in `/etc/resolv.conf`
- Self-hosted resolver thanks to Unbound
- [Cloudflare](https://1.1.1.1/), recommended, fastest resolvers available (Anycast servers)
- [Quad9](https://www.quad9.net), recommended, security and privacy oriented, fast worldwide (Anycast servers)
- [FDN's DNS Servers](http://www.fdn.fr/actions/dns/), recommended if you're in western europe (France)
@ -106,7 +107,6 @@ Here are the possibilities :
- [Google Public DNS](https://en.wikipedia.org/wiki/Google_Public_DNS), not recommended, but fast worldwide (Anycast servers)
- [Yandex Basic DNS](https://dns.yandex.com/), not recommended, but fast in Russia
- [AdGuard DNS](https://github.com/AdguardTeam/AdguardDNS), located in Russia, blocks ads and trackers
- Soon : local resolver :D
Any other fast, trustable and neutral servers proposition is welcome.

View File

@ -91,6 +91,109 @@ newclient () {
} >> "$homeDir/$1.ovpn"
}
function installLocalDNS () {
if [[ ! -e /etc/unbound/unbound.conf ]]; then
if [[ "$OS" = "debian" ]]; then
apt-get install -y unbound
echo 'interface: 10.8.0.1
access-control: 10.8.0.1/24 allow
hide-identity: yes
hide-version: yes
use-caps-for-id: yes
prefetch: yes' >> /etc/unbound/unbound.conf
elif [[ "$OS" = "centos" ]]; then
yum install -y unbound
# Configuration
sed -i 's|# interface: 0.0.0.0$|interface: 10.8.0.1|' /etc/unbound/unbound.conf
sed -i 's|# access-control: 127.0.0.0/8 allow|access-control: 10.8.0.1/24 allow|' /etc/unbound/unbound.conf
sed -i 's|# hide-identity: no|hide-identity: yes|' /etc/unbound/unbound.conf
sed -i 's|# hide-version: no|hide-version: yes|' /etc/unbound/unbound.conf
sed -i 's|use-caps-for-id: no|use-caps-for-id: yes|' /etc/unbound/unbound.conf
elif [[ "$OS" = "fedora" ]]; then
dnf install -y unbound
# Configuration
sed -i 's|# interface: 0.0.0.0$|interface: 10.8.0.1|' /etc/unbound/unbound.conf
sed -i 's|# access-control: 127.0.0.0/8 allow|access-control: 10.8.0.1/24 allow|' /etc/unbound/unbound.conf
sed -i 's|# hide-identity: no|hide-identity: yes|' /etc/unbound/unbound.conf
sed -i 's|# hide-version: no|hide-version: yes|' /etc/unbound/unbound.conf
sed -i 's|# use-caps-for-id: no|use-caps-for-id: yes|' /etc/unbound/unbound.conf
elif [[ "$OS" = "arch" ]]; then
# Install Unbound
pacman -Syu unbound expat
#Permissions for the DNSSEC keys
chown root:unbound /etc/unbound
chmod 775 /etc/unbound
# Get root servers list
wget https://www.internic.net/domain/named.root -O /etc/unbound/root.hints
# Configuration
mv /etc/unbound/unbound.conf /etc/unbound/unbound.conf.old
echo 'server:
root-hints: root.hints
auto-trust-anchor-file: trusted-key.key
interface: 10.8.0.1
access-control: 10.8.0.1/24 allow
port: 53
do-daemonize: yes
num-threads: 2
use-caps-for-id: yes
harden-glue: yes
hide-identity: yes
hide-version: yes
qname-minimisation: yes
prefetch: yes' > /etc/unbound/unbound.conf
fi
if [[ ! "$OS" =~ (fedora|centos) ]];then
# DNS Rebinding fix
echo "private-address: 10.0.0.0/8
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16
private-address: fd00::/8
private-address: fe80::/10
private-address: 127.0.0.0/8
private-address: ::ffff:0:0/96" >> /etc/unbound/unbound.conf
fi
else
# Unbound is already installed
echo 'include: /etc/unbound/openvpn.conf' >> /etc/unbound/unbound.conf
# Add OpenVPN integration
echo 'server:
interface: 10.8.0.1
access-control: 10.8.0.1/24 allow
hide-identity: yes
hide-version: yes
use-caps-for-id: yes
prefetch: yes
private-address: 10.0.0.0/8
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16
private-address: fd00::/8
private-address: fe80::/10
private-address: 127.0.0.0/8
private-address: ::ffff:0:0/96' > /etc/unbound/openvpn.conf
fi
if pgrep systemd-journal; then
systemctl enable unbound
systemctl start unbound
else
service unbound restart
fi
}
# Get Internet network interface with default route
NIC=$(ip -4 route ls | grep default | grep -Po '(?<=dev )(\S+)' | head -1)
@ -225,6 +328,37 @@ if [[ -e /etc/openvpn/server.conf ]]; then
done
rm -rf /etc/openvpn
rm -rf /usr/share/doc/openvpn*
if [[ -e /etc/unbound/openvpn.conf ]]; then
# Remove OpenVPN-related config
sed -i 's|include: \/etc\/unbound\/openvpn.conf||' /etc/unbound/unbound.conf
rm /etc/unbound/openvpn.conf
service unbound restart
until [[ $REMOVE_UNBOUND == "y" || $REMOVE_UNBOUND == "n" ]]; do
echo ""
echo "If you were already using Unbound before installing OpenVPN, I removed the configuration related to OpenVPN."
echo "You can keep using Unbound as before."
read -rp "Do you want to completely remove Unbound? [y/n]: " -e REMOVE_UNBOUND
done
if [[ "$REMOVE_UNBOUND" = 'y' ]]; then
if [[ "$OS" = 'debian' ]]; then
apt-get autoremove --purge -y unbound
elif [[ "$OS" = 'arch' ]]; then
pacman -R unbound --noconfirm
else
yum remove unbound -y
fi
echo ""
echo "Unbound removed!"
else
echo ""
echo "Unbound not removed!"
fi
fi
echo ""
echo "OpenVPN removed!"
else
@ -291,16 +425,33 @@ else
echo ""
echo "What DNS do you want to use with the VPN?"
echo " 1) Current system resolvers (from /etc/resolv.conf)"
echo " 2) Cloudflare (Anycast: worldwide)"
echo " 3) Quad9 (Anycast: worldwide)"
echo " 4) FDN (France)"
echo " 5) DNS.WATCH (Germany)"
echo " 6) OpenDNS (Anycast: worldwide)"
echo " 7) Google (Anycast: worldwide)"
echo " 8) Yandex Basic (Russia)"
echo " 9) AdGuard DNS (Russia)"
until [[ "$DNS" =~ ^[0-9]+$ ]] && [ "$DNS" -ge 1 -a "$DNS" -le 9 ]; do
read -rp "DNS [1-9]: " -e -i 1 DNS
echo " 2) Self-hosted DNS Resolver (Unbound)"
echo " 3) Cloudflare (Anycast: worldwide)"
echo " 4) Quad9 (Anycast: worldwide)"
echo " 5) FDN (France)"
echo " 6) DNS.WATCH (Germany)"
echo " 7) OpenDNS (Anycast: worldwide)"
echo " 8) Google (Anycast: worldwide)"
echo " 9) Yandex Basic (Russia)"
echo " 10) AdGuard DNS (Russia)"
until [[ "$DNS" =~ ^[0-9]+$ ]] && [ "$DNS" -ge 1 -a "$DNS" -le 10 ]; do
read -rp "DNS [1-10]: " -e -i 1 DNS
if [[ $DNS == 2 ]] && [[ -e /etc/unbound/unbound.conf ]]; then
echo ""
echo "Unbound is already installed."
echo "You can allow the script to configure it in order to use it from your OpenVPN clients"
echo "We will simply add a second server to /etc/unbound/unbound.conf for the OpenVPN subnet."
echo "No changes are made to the current configuration."
echo ""
while [[ $CONTINUE != "y" && $CONTINUE != "n" ]]; do
read -rp "Apply configuration changes to Unbound? [y/n]: " -e CONTINUE
done
if [[ $CONTINUE = "n" ]];then
DNS=""
CONTINUE=""
fi
fi
done
echo ""
echo "See https://github.com/Angristan/OpenVPN-install#encryption to learn more about "
@ -591,35 +742,40 @@ ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf
echo "push \"dhcp-option DNS $line\"" >> /etc/openvpn/server.conf
done
;;
2) # Cloudflare
2)
# Install Unbound
installLocalDNS
echo 'push "dhcp-option DNS 10.8.0.1"' >> /etc/openvpn/server.conf
;;
3) # Cloudflare
echo 'push "dhcp-option DNS 1.0.0.1"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 1.1.1.1"' >> /etc/openvpn/server.conf
;;
3) # Quad9
4) # Quad9
echo 'push "dhcp-option DNS 9.9.9.9"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 149.112.112.112"' >> /etc/openvpn/server.conf
;;
4) # FDN
5) # FDN
echo 'push "dhcp-option DNS 80.67.169.40"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 80.67.169.12"' >> /etc/openvpn/server.conf
;;
5) # DNS.WATCH
6) # DNS.WATCH
echo 'push "dhcp-option DNS 84.200.69.80"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 84.200.70.40"' >> /etc/openvpn/server.conf
;;
6) # OpenDNS
7) # OpenDNS
echo 'push "dhcp-option DNS 208.67.222.222"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 208.67.220.220"' >> /etc/openvpn/server.conf
;;
7) # Google
8) # Google
echo 'push "dhcp-option DNS 8.8.8.8"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 8.8.4.4"' >> /etc/openvpn/server.conf
;;
8) # Yandex Basic
9) # Yandex Basic
echo 'push "dhcp-option DNS 77.88.8.8"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 77.88.8.1"' >> /etc/openvpn/server.conf
;;
9) # AdGuard DNS
10) # AdGuard DNS
echo 'push "dhcp-option DNS 176.103.130.130"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 176.103.130.131"' >> /etc/openvpn/server.conf
;;